When running the sample code via a bot, make sure that the bot has the Edit your watchlist option set to true, by visiting the Special:BotPasswords page.

This module uses CSRF tokens, not watchlist tokens. CSRF tokens are generally used for POST requests and wiki-modifying actions throughout the Action API, whereas watchlist tokens are used specifically to view another user's watchlist.

Unlike API:Watchlist, which allows you to read an account's private watchlist without logging in, this module requires you to log directly into the account you want to alter.